locked
Can I restrict a user to only use a particular Node Group? RRS feed

  • General discussion

  • I created a node group called "Rental_Group".  I would like for users that login to only be able to use the Rental_Group Nodes and not my other ones. Is this possiable?

    The HPC is in a AD environment.


    EdgarH

    Tuesday, November 20, 2012 6:30 PM

All replies

  • I don't think this functionallity is suported by HPC cluster manager.The workaround would be to implement a job dispatching server which verifies logged user and assigns particular node group to this user,so 'job submit' is executed from within the server.


    Daniel Drypczewski

    Wednesday, November 21, 2012 2:58 AM
  • Yes, but it's not built in.  You can write a custom submission filter to handle it, though - I used the sample code from the 2008 R2 SDK (specifically scheduler\filters\exe\submission jobsize) as a starting point.  That code changes job parameters based on the job size.  In your case - if you want all users to only use this node group - you'd just skip the checks and just change the JobTemplate property.  You'd have to create a Job Template that only uses your Rental_Group node group.

    If you want only certain users to use that node group, you can add to the code to have it query Active Directory for example - if they're in Group X, the submission filter should assign the job to Job Template X, which is configured to use only Node Group X.

    It's fiddly, but doable.

    Friday, March 8, 2013 7:00 PM
  • In addition to the other ideas presented, JobTemplates can be used for what you ask.

    For strict control you might combine JobTemplate permissions and/or the submission filter ideas.

    d

    Tuesday, March 26, 2013 9:52 PM
  • Job Templates can only be used if you have a way of assigning them, though, is my understanding.  Unless at the time of submission the job is manually assigned to a different template, jobs will only run using the default template, which doesn't allow for this sort of functionality.  Or have I missed a way to programmatically assign jobs to templates (other than a custom filter)?
    Tuesday, March 26, 2013 9:55 PM
  • You should be able to use ISchedulerJob.SetJobTemplate(): http://msdn.microsoft.com/en-us/library/microsoft.hpc.scheduler.ischedulerjob.setjobtemplate(v=vs.85).aspx

    Also, I think you can restrict permissions on templates to "force" the use of appropriate templates.

    A submission filter is yet another control.

    Given all of this I think you can enforce strong security if you need to.

    d

    Tuesday, March 26, 2013 10:37 PM
  • Using the SetJobTemplate property still requires either code somewhere to determine what to set it to, or a person setting it at time of submission, though, doesn't it?

    If you have any info on restricting permissions to force template use, I would love to get that.  I've tried it quite a bit and wasn't able to get it working, which is why I resorted to the filter.  If I can do it without, I'd certainly prefer to.

    Tuesday, March 26, 2013 10:50 PM
  • If you have a user Foo and a Job Template MyNodesOnly:

    1: you can add a "Foo deny all" ACL to the default template.  Foo can no longer submit jobs with this template (yes he/she can create).

    2: you can remove HpcUsers group from the default template ACL... this forces all user level accounts to use other templates.

    3: MyNodesOnly probably allows HpcUsers... so Foo can submit using this template already. 

    4: MyNodesOnly can have HpcUsers removed... and Foo added for Submit/etc.

    These sorts of ACL changes allow you to restrict users and templates.

    I am not a domain admin here so I can test only with known users (ie: not groups) so I cannot advise you there.

    d

    Tuesday, March 26, 2013 11:46 PM
  • Interesting - when I tried exactly that same scenario, it just died saying I didn't have permission to the template (it was still just trying to use default, even though I'd removed the group from that template and added it to another).  Is there anything that could affect how that behaviour works?
    Tuesday, March 26, 2013 11:49 PM
  • new jobs created (no matter how: ui, cli, psh, c#, rest...) must have the desired job template specified... if it is not explicitly set the default is used and JobSubmit fails with the error you report.

    try this pattern: job submit /jobtemplate:OnlyMyNodes hostname

    Here the template is explicitly specified...

    d

    Tuesday, March 26, 2013 11:51 PM
  • Right - that's what I was calling "manually setting", since you have to specify the template name.  In our case, we can't even do that, since we're submitting through a program that uses the API, and it's not exposing that field.  But even if it did, we don't want to have to specify it on each job.  We just want (and from what I read, the OP just wants) jobs from X user group to automatically go to node group X, without having to select anything special on each job.
    Tuesday, March 26, 2013 11:55 PM
  • Then the (cluster wide) filter is your only option.

    There is no built in "job template decision tree/router".  The default template is used unless explicitly overridden.   If your tools do not expose an override feature... all jobs will get the default.

    You can optimize the default for your largest set of users... but if you have complex user<->nodegroup mappings then a cluster wide submission filter is the point of extensibility that can be used to implement the mapping enforcement.

    I think you are there already.  My apologies for the odyssey. 

    Perhaps whosoever owns the intermediate app can be convinced to add the nodegroup decision tree (templates are not the only choice at that point).

    d

    Wednesday, March 27, 2013 12:04 AM
  • Do you have more info on the "nodegroup decision tree"?  I wouldn't say we want a complex mapping by any means - just 2 groups - so if it can be done without custom code that's easier to maintain in the future (assuming we can get access to that functionality).
    Wednesday, March 27, 2013 12:13 AM
  • I think custom code (filter or your submission app) is the only way to do what you want to do.

    d

     

    Wednesday, March 27, 2013 12:20 AM